Question regarding the role of PII in CMMC

old.reddit.com / @/u/reddituserask, https://old.reddit.com/user/reddituserask

Hi everyone

I am hoping for some scoping guidance regarding PII.

We have engagements with government agencies requiring us to protect CUI. Technically it’s not CMMC, it’s NIST 800-53 (not 171, which surprised us a bit), but CMMC will be showing up in our contracts soon.

We receive basic personal information through our regular sales process, such as first and last names and work email addresses of our government contacts, that are loaded into Salesforce. These are not explicitly labelled CUI, but there are categories of CUI that cover this information, specifically “CUI Category: Privacy Information”.

Do we need to treat this information, and therefore systems storing and using it, as in scope and thus need to be FedRAMP compliant, such as Salesforce?

submitted by /u/reddituserask

published 11 days ago



